Can someone help me understand how OpenID works? I'm interested in the following answers:
I recently made an OpenID authentication system; this is how it works.
login:
authenticate request:
there is a table that maps openid url to user.
for each request:
Do you still have to store userIDs and passwords if using openId?
userIDs yes, passwords no (unless you provide other ways to log in besides OpenID).
How does my application find out and create a new session when someone logs in?
Sessions are handled as normal; sessions are for authenticated and unauthenticated users.
When a user logs out of my own application, do I need to do anything more than just clear their session from my application? (Do I need to inform the OpenID server?)
Nope.
My understanding is the following:
OpenID allows users to log in in a decentralized manner, which means the user's login credentials are handled by one site, the provider.
Your system will interact with the provider to determine if a user is who they say they are. If they pass that check, your system logs them in.
You still need to store some user information because the details of how they can use your system must be stored within your system.
So, if Google is an OpenID provider, SO can verify that I logged into Google and am who I say I am. SO then says, great, this user is hvgotcodes in our system, and gives me privileges that make sense for who I am in SO.
In answer to your specific question about logout: yes, you still log the user into your system after the OpenID provider verifies the user's credentials, and hence you can handle their logout status from your own system.
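As an added example (not code from either answer above), here is the relying-party bookkeeping both answers describe, in Python: check the provider's signed positive assertion, reject a replayed response nonce, map the claimed OpenID URL to a local user record through a lookup table, bind that user to the session, and log out locally without contacting the provider. The association secret, endpoint URLs, identifiers and the `make_assertion` stand-in for the provider are constructed for the example, not a real OP.

```python
import base64, hashlib, hmac

# Fields an OpenID 2.0 positive assertion normally signs (order matters for the signature)
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]

def kv_form(fields, keys):
    # OpenID 2.0 signs the "key:value\n" form of the listed fields, without the "openid." prefix
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys).encode()

def sign(secret, fields, keys):
    # HMAC-SHA256 over the key-value form, base64-encoded, as for an HMAC-SHA256 association
    return base64.b64encode(hmac.new(secret, kv_form(fields, keys), hashlib.sha256).digest()).decode()

def make_assertion(secret, claimed_id, nonce):
    """Constructed stand-in for the provider's id_res response (sample data, not a real OP)."""
    f = {"openid.mode": "id_res", "openid.op_endpoint": "https://op.example/auth",
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.return_to": "https://rp.example/openid/return",
         "openid.response_nonce": nonce, "openid.assoc_handle": "assoc-1",
         "openid.signed": ",".join(SIGNED)}
    f["openid.sig"] = sign(secret, f, SIGNED)
    return f

class RelyingParty:
    def __init__(self, assoc_secret):
        self.secret = assoc_secret   # shared secret from the association with the provider
        self.users = {}              # the table mapping OpenID URL -> local user id
        self.sessions = {}           # session id -> local user id (None = not logged in)
        self.seen_nonces = set()     # accepted response_nonce values, so a replay is rejected

    def verify_assertion(self, f):
        if f.get("openid.mode") != "id_res":
            return False
        signed = f["openid.signed"].split(",")
        # identity, nonce and return_to must actually be covered by the signature, not just present
        if not {"claimed_id", "response_nonce", "return_to"} <= set(signed):
            return False
        if any("openid." + k not in f for k in signed):
            return False
        if not hmac.compare_digest(sign(self.secret, f, signed), f.get("openid.sig", "")):
            return False
        if f["openid.response_nonce"] in self.seen_nonces:
            return False
        self.seen_nonces.add(f["openid.response_nonce"])
        return True

    def login(self, session_id, f):
        """After the assertion checks out, map the claimed URL to a local user and bind it to the session."""
        if not self.verify_assertion(f):
            return None
        user_id = self.users.setdefault(f["openid.claimed_id"], f"user{len(self.users) + 1}")
        self.sessions[session_id] = user_id
        return user_id

    def logout(self, session_id):
        self.sessions[session_id] = None   # local only; the provider is not informed
```

The same OpenID URL always resolves to the same local user record, which is the "userIDs yes, passwords no" point: the provider proves the identity, your table decides who that is in your system.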